You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@logging.apache.org by "Marcono1234 (Jira)" <ji...@apache.org> on 2021/12/26 22:58:00 UTC

[jira] [Created] (LOG4J2-3290) NetUtils.getLocalIps() is error-prone

Marcono1234 created LOG4J2-3290:
-----------------------------------

             Summary: NetUtils.getLocalIps() is error-prone
                 Key: LOG4J2-3290
                 URL: https://issues.apache.org/jira/browse/LOG4J2-3290
             Project: Log4j 2
          Issue Type: Bug
            Reporter: Marcono1234


The method {{org.apache.logging.log4j.core.util.NetUtils.getLocalIps()}} is error-prone:
- It does not document in which format the returned IP addresses are. IPv6 addresses are not enclosed in square brackets, and may have an optional scope id, e.g. {{1080:0:0:0:8:800:200C:417A%eth3}}. This should be documented because some callers might expect enclosing square brackets.
- Its results include temporary IP addresses. This causes the following issues, when during the runtime of an application the IP addresses are re-assigned by the provider:
-- If the results of {{getLocalIps()}} were cached, parts of the application might break due to IP address change, because the newly assigned IP address is not considered a 'local IP' anymore.
-- It might allow circumventing IP address filters when a malicious actor manages to get the previous IP address as their new address.

{{NetUtils.getLocalIps()}} was only introduced for {{JndiManager}}, however with the recent changes the method does not appear to be used anymore (see LOG4J2-3242). Therefore, it might also be an option to remove the method again.




--
This message was sent by Atlassian Jira
(v8.20.1#820001)